MDC-2 - Misplaced Pages

Cryptographic hash function

This article needs additional citations for verification. Please help improve this article by adding citations to reliable sources. Unsourced material may be challenged and removed.
Find sources: "MDC-2" – news · newspapers · books · scholar · JSTOR (February 2019) (Learn how and when to remove this message)

In cryptography, MDC-2 (Modification Detection Code 2, sometimes called Meyer–Schilling, standardized in ISO 10118-2) is a cryptographic hash function. MDC-2 is a hash function based on a block cipher with a proof of security in the ideal-cipher model. The length of the output hash depends on the underlying block cipher used.

Algorithm

For a given message $M$ to hash and a given block cipher encryption function $E$ , the MDC-2 algorithm proceeds as follows. Let $n$ be the block length, $A_{1},B_{1}$ two different constants of size $n$ . If $M=M_{1}||..||M_{m}$ where each $M_{i}$ has size $n$ , then the hash $V_{m}||W_{m}$ of the message is given by:

for i = 1 {\displaystyle i=1} to m {\displaystyle m} :
- $V_{i}=M_{i}\oplus E(M_{i},A_{i})$
- $W_{i}=M_{i}\oplus E(M_{i},B_{i})$
- $V_{i}^{L}||V_{i}^{R}=V_{i}$
- $W_{i}^{L}||W_{i}^{R}=W_{i}$
- $A_{i+1}=V_{i}^{L}||W_{i}^{R}$
- $B_{i+1}=W_{i}^{L}||V_{i}^{R}$
return $A_{m+1}||B_{m+1}$

MDC-2DES hashes

When MDC-2 uses the DES block cipher, the 128-bit (16-byte) MDC-2 hashes are typically represented as 32-digit hexadecimal numbers. $A_{1}$ is chosen as the 8-byte string 5252525252525252 and $B_{1}$ is chosen as the 8-byte string 2525252525252525 (written as hexdigits). Additionally, before each iteration the first byte A of $A$ recalculated as (A & 0x9f) ^ 0x40 and the first byte B of $B$ is recalculated as (B & 0x9f) ^ 0x20.

The following demonstrates a 43-byte ASCII input (which is padded with five zero-bytes so its length is a multiple of the DES block size of 8 bytes) and the corresponding MDC-2 hash:

 MDC2("The quick brown fox jumps over the lazy dog") 
  = 000ed54e093d61679aefbeae05bfe33a

Even a small change in the message will (with probability) result in a completely different hash, e.g. changing d to c:

 MDC2("The quick brown fox jumps over the lazy cog") 
  = 775f59f8e51aec29c57ac6ab850d58e8

The hash of the zero-length string is:

 MDC2("") 
  = 52525252525252522525252525252525

Patent issues

MDC-2 was covered by U.S. patent 4,908,861, issued on March 13, 1990 but filed by IBM on August 28, 1987. Because of patent concerns support for MDC-2 has been disabled in OpenSSL on most Linux distributions and is not implemented by many other cryptographic libraries. It is implemented in GPG's libgcrypt.

The patent was due to expire on August 28, 2007, twenty years after the filing date. It actually expired in 2002 because IBM did not pay the renewal fee. The Canadian patent was not renewed and no European patent was granted so MDC-2 can now be freely used.

Notes

Steinberger, John (June 23, 2007). "The Collision Intractability of MDC-2 in the Ideal-Cipher Model". Advances in Cryptology – EUROCRYPT 2007. Springer-Verlag. pp. 34–51. doi:10.1007/978-3-540-72540-4_3. Retrieved January 31, 2008.
Cite error: The named reference undefined was invoked but never defined (see the help page).
"USPTO - Patent Maintenance Fees". United States Patent Office. March 13, 2002. Retrieved 2008-01-31. {{cite journal}}: Cite journal requires |journal= (help) (Click on "Bibliographic data".)

v t e Cryptographic hash functions and message authentication codes
List Comparison Known attacks
Common functions	MD5 (compromised) SHA-1 (compromised) SHA-2 SHA-3 BLAKE2
SHA-3 finalists	BLAKE Grøstl JH Skein Keccak (winner)
Other functions	BLAKE3 CubeHash ECOH FSB Fugue GOST HAS-160 HAVAL Kupyna LSH Lane MASH-1 MASH-2 MD2 MD4 MD6 MDC-2 N-hash RIPEMD RadioGatún SIMD SM3 SWIFFT Shabal Snefru Streebog Tiger VSH Whirlpool
Password hashing/ key stretching functions	Argon2 Balloon bcrypt Catena crypt LM hash Lyra2 Makwa PBKDF2 scrypt yescrypt
General purpose key derivation functions	HKDF KDF1/KDF2
MAC functions	CBC-MAC DAA GMAC HMAC NMAC OMAC/CMAC PMAC Poly1305 SipHash UMAC VMAC
Authenticated encryption modes	CCM ChaCha20-Poly1305 CWC EAX GCM IAPM OCB
Attacks	Collision attack Preimage attack Birthday attack Brute-force attack Rainbow table Side-channel attack Length extension attack
Design	Avalanche effect Hash collision Merkle–Damgård construction Sponge function HAIFA construction
Standardization	CAESAR Competition CRYPTREC NESSIE NIST hash function competition Password Hashing Competition NSA Suite B CNSA
Utilization	Hash-based cryptography Merkle tree Message authentication Proof of work Salt Pepper

v t e Cryptography
General	History of cryptography Outline of cryptography Classical cipher Cryptographic protocol Authentication protocol Cryptographic primitive Cryptanalysis Cryptocurrency Cryptosystem Cryptographic nonce Cryptovirology Hash function Cryptographic hash function Key derivation function Secure Hash Algorithms Digital signature Kleptography Key (cryptography) Key exchange Key generator Key schedule Key stretching Keygen Machines Cryptojacking malware Ransomware Random number generation Cryptographically secure pseudorandom number generator (CSPRNG) Pseudorandom noise (PRN) Secure channel Insecure channel Subliminal channel Encryption Decryption End-to-end encryption Harvest now, decrypt later Information-theoretic security Plaintext Codetext Ciphertext Shared secret Trapdoor function Trusted timestamping Key-based routing Onion routing Garlic routing Kademlia Mix network
Mathematics	Cryptographic hash function Block cipher Stream cipher Symmetric-key algorithm Authenticated encryption Public-key cryptography Quantum key distribution Quantum cryptography Post-quantum cryptography Message authentication code Random numbers Steganography
Category

Category:

Cryptographic hash functions

Algorithm

MDC-2DES hashes

Patent issues

See also

Notes